I have a user, let's call him ADMIN, now I want to give him IAM policy to create users, and s3 read write access to specific buckets and nothing else.
Now the most important part of this problem is that I want to limit this scope in such a way that only the ADMIN can create users and not the users themselves.
For example, Admin creates user 1,user 2, user 3, now these users cannot create users themselves, like user 1 should not be able to create a user 4 or so. Also these users1,2,3 should only have read write access to particular s3 buckets just as the admin and nothing else.
How do I achieve this?
With IAM Policies you can specify what actions can or cannot be taken by a given entity. In this case you can attach IAM Policies to an IAM Role or an IAM User like Admin and give this entity the rights to create IAM Users and to read/write to S3.
While you cannot specify explicitly which actions the users created by the Admin role will take from its policy document, you could limit which IAM Policies the Admin user can attach to users.
To do so you could create a custom IAM Policy that gives permissions to only read/write from a specific S3 and then allow the Admin role to be able attach only that specific IAM Policy and nothing else.
You can read more about these kind of actions and conditions in the IAM Documentation.
Related
I have an AWS account used by different people.
I want to give access to IAM Users in the IAM User Group Developer to only the resources they created. They should be able to create any resources and read and write all the resources they created.
So, when you logged as IAM User A part of IAM User Group Developer, you can read and edit all the resources IAM User A has created since the beginning. Also, you will be able to create any other resources.
I prefer to avoid using AWS Organisations. Moreover, there are resources shared across the account. There is already an Admin role and a ReadOnly role for these resources.
One solution would be to ask developers to use their AWS Accounts and permit them to access the main one with IAM Roles. However, I would like your help with a solution using only one AWS Account.
In production I just wanted to give only the required permissions in the policy for IAM user.
Currently I have given S3FullAccess Policy for the IAM user, is there any way to identify which all permissions in that s3 bucket are been utilized by the IAMuser, Do we have any kind of logs that states this? So if I could get those permissions I could create a custom policy for the user with only specific permissions that the user requires.
Use Amazon S3 server access logging, AWS CloudTrail logs or a combination of both to identify what the user is accessing from the S3 service. Here is the difference between the two approaches.
I'm planning to develop a multi tenant platform based on the AWS stack. For each customer, let's call them customerA and customerB I want to create individual resources and restrict them that customerA can't see all stuff from customerB.
The first step to set up for the customer is to set up an IAM user with rights to manage all rights for the user. So I want to give the IAM user the rights to create IAM roles and policies and assign them to users but only for the ARN with the resource name customerA__* as prefix. This way it's possible to give the user the rights to create for example roles giving dynamoDB create table rights with a role name of customerA__rolename as planned but I want to further limit it that all roles also need to be bound to this scope, otherwise customerA__deleteTable could also be used to delete customerBs tables.
So in short: Is it possible to create an IAM role that limits all rights to have the name customerA__xyz and also to limit it's scope for each created role to resources with the name customerA__*
If it's not possible any other suggestions how to set up multi tenant rights for AWS? I don't want to create a separate AWS account for each customer for separation and I doubt this can be automated in a legal way.
Thanks in advance :)
There is indeed functionality for this by writing a permission boundary that prevents an IAM user from actually granting more permissions than they already have (which would allow them to bypass this).
A permissions boundary will be evaluated before the permissions so it will take a higher precedence than any permissions a user can set.
AWS have actually created a thorough policy you can use for this use case on their How can I use permissions boundaries to limit the scope of IAM users and roles and prevent privilege escalation? documentation page.
If you add this within your account you should be able to validate that it provides the functionality that you're expecting.
I am currently learning AWS, and I stumbled upon this scenario where I want to grant access to a service to a user within the same AWS account as mine, using Roles.
So here is the detail of the scenario I am thinking of,
I am currently an admin IAM user 'A'. There is another IAM user 'B' with no access to EC2 service (infact he has access to nothing in AWS!).
I want this user B to temporarily have read-only access to EC2 instances. So I create a role, and attach a policy 'AmazonEC2ReadOnlyAccess' to it.
Now, I want 'B' to switch to this role when he logs in, so that he can view Ec2 instances.
I am aware that this can also be done by creating a group and assigning the policy to that group, and then adding this user 'B' to that group.
But I want to do this using roles.
I am not sure if this is even possible in AWS (or worse if this scenario itself is valid?), because the documentation only speaks about cross-account role switch.
Can anyone help me understand this, and let me know if this is even possible and what I need to do?
I'm not sure why you would do it like this rather than either:
Applying the role to a group and adding the user to a group
Applying the policy directly to a user.
I think you CAN do what you're trying to achieve, but only by giving the user permission to assume a role via a policy, which would mean you would have to give the user permissions via a policy or group anyway (I'm also not sure if this works for roles within the same account) - in this scenario it just makes more sense to apply the policy to the user directly, rather than doing switch roles.
If you really want to go ahead and use switch roles for this, you should be able to modify the guide here to allow you to do so:
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
If you wish to add an IAM user you simply attach the user to the roles trusted entity directly, for an IAM user group it is more complicated.
An additional policy is required to add the IAM user group to the role, as it is otherwise not possible to add IAM user groups to roles. As a result you have 2 policies for each permission to give rather than just 1.
UserGroup → Policy#1 → Role → Policy#2
Policy#1 is attached to the UserGroup and has a sts:assumeRole permission for the Role
Role has a trusted entity for the account it is actually in eg. arn:aws:iam::AWS_ACC_ID:root
Policy#2 has your actual permissions, and is attached to the role.
I know what the documentation says:
Important
IAM users can't create CloudFront key pairs. You must log in using root credentials to create key pairs.
But I what to know is this restriction a permission based. Can you give that permission to IAM user?
That means the person paying the bills is privileged only to do that. IAM users cannot have these privileges even if they have full admin access.